将ARM模板部署到Azure资源组时授权错误
我正在尝试将几个ARM模板部署到PowerShell现有的Azure资源组(RG1)。但是,我在这样做时会遇到授权错误。奇怪的是,我不是在其他已经存在的资源组(RG2)上执行相同的活动时遇到这些问题。
我认为以下信息是相关的:
- 我只是在通过PowerShell部署到RG1时遇到问题,我是 能够通过Azure门户在RG1中手动创建资源。
- 我正在为PowerShell和Azure门户使用相同的Azure帐户。
- Azure帐户具有RG1和RG2的“贡献者”角色。
在尝试将ARM模板资源部署到RG1时,我会收到
New-AzTemplateSpec `
~~~~~~~~~~~~~~~~~~~~
Operation returned an invalid status code 'Forbidden'
以下
New-AzResourceGroupDeployment `
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17:01:55 - Error: Code=AuthorizationFailed; Message=The client '[email protected]' with object id [objectid] does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/[subscriptionid]/resourcegroups/RG-ABC/providers/Microsoft.Resources/deployments/[deploymentid]' or the scope is invalid. If access was recently granted, please refresh your credentials.
错误RG1和RG2之间的策略或访问控制配置的差异。它们似乎完全一样,但是显然不是。
I'm trying to deploy a couple ARM templates to an existing Azure Resource Group (RG1) from PowerShell. I'm getting authorisation errors while doing so though. The strange thing is that I'm not having those issues while performing the same activities on another, already existing, resource group (RG2).
I think the following information is relevant:
- I'm only having the issues while deploying to RG1 via PowerShell, I'm
able to create resources manually in RG1 via the Azure Portal. - I'm using the same Azure account for PowerShell and for the Azure Portal.
- The Azure account has the 'Contributor' role for both RG1 and RG2.
I'm receiving the following error when trying to deploy ARM Template Spec resources to RG1:
New-AzTemplateSpec `
~~~~~~~~~~~~~~~~~~~~
Operation returned an invalid status code 'Forbidden'
I'm receiving the following error when trying to actually 'run' the ARM templates on the RG1:
New-AzResourceGroupDeployment `
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17:01:55 - Error: Code=AuthorizationFailed; Message=The client '[email protected]' with object id [objectid] does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/[subscriptionid]/resourcegroups/RG-ABC/providers/Microsoft.Resources/deployments/[deploymentid]' or the scope is invalid. If access was recently granted, please refresh your credentials.
The frustrating thing is that I can't find any differences in policies or access control configuration between RG1 and RG2. They seems to be exactly the same, but of course they obviously aren't.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我不确定没有看到其余的代码,但请确保您登录:
login -azaccount- 确保您正在使用贡献者使用Azure帐户登录,它将向您显示在帐户下的电子邮件您登录然后要设置Azure订阅上下文,
然后您可以运行
I'm not sure without seeing the rest of your code but make sure you login:
Login-AzAccount- make sure you are logging in with your azure account with contributor, it will show you email under the account you loginThen you want to set your azure subscription context
Then you can run your